Another real world example of this problem popped up on my feed today: a mass outbreak of coronavirus at a nightclub in the Netherlands. https://www.tubantia.nl/enschede/teller-loopt-hard-op-al-165-besmettingen-na-clubavond-in-enschedese-disco~acd3b192/ 165 cases were traced back to this club night, which shouldn’t have happened considering people were asked to present a negative test on entry. There’s a suggestion some people might have swapped, shared, and exchanged QR codes to get in. So you had this situation where all the QR codes were valid and showed everyone was clear, but at least one person might have dodged identity verification. It’s an extreme example, but it shows that problem around proving that “the person carrying the device is the person who owns the device”.